IETF Logo Mail Archive

Re: [Emu] EAP and Fragmentation

"Dr. Pala" <director@openca.org> Fri, 15 February 2019 00:45 UTC

Return-Path: <director@openca.org>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F0F0128B01 for <emu@ietfa.amsl.com>; Thu, 14 Feb 2019 16:45:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zCKA7ttGBJ1z for <emu@ietfa.amsl.com>; Thu, 14 Feb 2019 16:45:16 -0800 (PST)
Received: from mail.katezarealty.com (mail.katezarealty.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id 5B417126D00 for <emu@ietf.org>; Thu, 14 Feb 2019 16:45:16 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.katezarealty.com (Postfix) with ESMTP id 2509037412C2; Fri, 15 Feb 2019 00:45:16 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([127.0.0.1]) by localhost (mail.katezarealty.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id O14oYA_MlHnG; Thu, 14 Feb 2019 19:45:15 -0500 (EST)
Received: from Maxs-MBP.cablelabs.com (unknown [192.160.73.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id 2813D3740FD2; Thu, 14 Feb 2019 19:45:15 -0500 (EST)
To: Alan DeKok <aland@deployingradius.com>
Cc: Mohit Sethi <mohit.m.sethi@ericsson.com>, EMU WG <emu@ietf.org>
References: <f7548f45-e9ed-3c96-fd55-d87006c5ce70@openca.org> <894F23B3-59EA-4DE6-BC12-417C79850CC4@deployingradius.com>
From: "Dr. Pala" <director@openca.org>
Organization: OpenCA Labs
Message-ID: <221e1f29-98c0-f232-eb25-db8ef75af16a@openca.org>
Date: Thu, 14 Feb 2019 17:45:14 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <894F23B3-59EA-4DE6-BC12-417C79850CC4@deployingradius.com>
Content-Type: multipart/alternative; boundary="------------25613132F7785DAA883704C4"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/HlSEqgEy6934oPVaSnd3vzGJ4_Q>
Subject: Re: [Emu] EAP and Fragmentation
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 00:45:18 -0000

Hi Alan,

thanks for the answers... aligned with what I thought and they do make 
sense... :D Further considerations inline...

On 2/12/19 11:26 AM, Alan DeKok wrote:
> On Feb 12, 2019, at 12:36 PM, Dr. Pala <director@openca.org> wrote:
> [...]
>> This, led me to my first question: is there a de-facto "standard" way to add Fragmentation support we can just use (without having to re-invent the wheel all the time) ?
>    No.
Too bad... :(
>> If we had such a mechanism, then we could just say "implement the mechanism as defined in ... ". This would definitely help developers that could safely re-use code/libraries. The other approach would be to modify EAP to add Fragmentation support there.
>    I suspect that it's difficult to "modify EAP".  However, adding a standard fragmentation method would be definitely useful.

I agree that (a) it would be useful and (b) it would be difficult to 
modify EAP :D It seems to me that EAP made a too simple header... :D

> [ ... ]
>
>    If it's an EAP type that only appears inside of a TLS tunnel, then don't worry too much about fragmentation.
>
>    If the data you're sending will be larger than 64K, you *will* need to provide your own fragmentation support.  But that's only because the EAP header has a 16-bit "Length" field.
>
Yep, that is why the AVP/TLVs use the internal 'L' bit and the 32bits 
length field to address that. I think that to keep the method simple, we 
will require that the method is executed as an internal method of a 
Tunneled method that provides (a) authentication of the server (and 
optionally of the client), and (b) secrecy of the transferred data.

This allows us to:

  * Remove the support for Fragmentation (but we need to require that
    the data is appropriately handled by the encapsulating method)
  * Do not have to implement crypto-parameters negotiation for the outer
    tunnel

The draft will require a well-written security section to make sure that 
deployments do not use the method without proper security around it.

>> Looking forward to some great guidance and advice :D Also, if you would like to collaborate/contribute, please let me know!
>    I've been known to have opinions.  :)  Plus, it's useful to have credential provisioning methods.
>
... and I've been known to have ears and eyes to listen and read :D That 
works perfectly!

Thanks for the feedback!

Cheers,

-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo

v2.23.0 | Report a Bug | By Email